Thanks a lot for helping. I missed this line indeed. I now changed the subsystem to:

Subsystem sftp internal-sftp

If I comment out the ChrootDirectory in the Match block, I can instantly connect without problems. So I still must have forgotten something ... but I don't know what?

In my chroot (/home/chroot/), I have /home/chroot/dev/log. I did not copy any binaries/libs into the chroot as it is NOT required (or I misunderstood the manual page????). Quote from the sshd_config manual, ChrootDirectory section:

"For file transfer sessions using ``sftp'', no additional configuration of the environment is necessary if the in-process sftp server is used, though sessions which use logging do require /dev/log inside the chroot directory (see sftp-server(8) for details)."

Syslogd has the following flags in rc.conf.local:

syslogd_flags="-a /home/chroot/dev/log"

Unfortunately it still doesn't work ...

$ sftp -P 2222 sync@localhost
Connection closed

Here is the sshd output:

debug2: load_server_config: filename /etc/ssh/sshd_config
debug2: load_server_config: done config len = 584
debug2: parse_server_config: config /etc/ssh/sshd_config len 584
debug3: /etc/ssh/sshd_config:39 setting PermitRootLogin no
debug3: /etc/ssh/sshd_config:42 setting MaxAuthTries 3
debug3: /etc/ssh/sshd_config:50 setting AuthorizedKeysFile .ssh/authorized_keys
debug3: /etc/ssh/sshd_config:69 setting PasswordAuthentication no
debug3: /etc/ssh/sshd_config:95 setting UsePrivilegeSeparation sandbox
debug3: /etc/ssh/sshd_config:109 setting Banner /etc/ssh/banner
debug3: /etc/ssh/sshd_config:113 setting Subsystem sftp internal-sftp
debug3: /etc/ssh/sshd_config:115 setting AllowGroups ssh
debug3: checking syntax for 'Match Address 192.168.178.0/24'
debug3: checking syntax for 'Match Group remote-sync, Address 127.0.0.1'
debug1: sshd version OpenSSH_6.2, OpenSSL 1.0.1c 10 May 2012
debug3: Incorrect RSA1 identifier
debug1: read PEM private key done: type RSA
debug1: private host key: #0 type 1 RSA
debug3: Incorrect RSA1 identifier
debug1: read PEM private key done: type DSA
debug1: private host key: #1 type 2 DSA
debug3: Incorrect RSA1 identifier
debug1: read PEM private key done: type ECDSA
debug1: private host key: #2 type 3 ECDSA
debug1: rexec_argv[0]='/usr/sbin/sshd'
debug1: rexec_argv[1]='-p'
debug1: rexec_argv[2]='2222'
debug1: rexec_argv[3]='-f'
debug1: rexec_argv[4]='/etc/ssh/sshd_config'
debug1: rexec_argv[5]='-D'
debug1: rexec_argv[6]='-ddd'
debug2: fd 3 setting O_NONBLOCK
debug1: Bind to port 2222 on 0.0.0.0.
Server listening on 0.0.0.0 port 2222.
debug2: fd 4 setting O_NONBLOCK
debug1: Bind to port 2222 on ::.
Server listening on :: port 2222.
debug1: fd 5 clearing O_NONBLOCK
debug1: Server will not fork when running in debugging mode.
debug3: send_rexec_state: entering fd = 8 config len 584
debug3: ssh_msg_send: type 0
debug3: send_rexec_state: done
debug1: rexec start in 5 out 5 newsock 5 pipe -1 sock 8
debug1: inetd sockets after dupping: 3, 3
Connection from 127.0.0.1 port 46864
debug1: Client protocol version 2.0; client software version OpenSSH_6.2
debug1: match: OpenSSH_6.2 pat OpenSSH*
debug1: Enabling compatibility mode for protocol 2.0
debug1: Local version string SSH-2.0-OpenSSH_6.2
debug2: fd 3 setting O_NONBLOCK
debug3: ssh_sandbox_init: preparing systrace sandbox
debug2: Network child is on pid 30531
debug3: ssh_sandbox_parent: wait for child 30531
debug3: ssh_sandbox_parent: child 30531 stopped
debug3: ssh_sandbox_parent: systrace attach, fd=9
debug3: ssh_sandbox_parent: policy: enable syscall 1
debug3: ssh_sandbox_parent: policy: enable syscall 3
debug3: ssh_sandbox_parent: policy: enable syscall 4
debug3: ssh_sandbox_parent: policy: enable syscall 5
debug3: ssh_sandbox_parent: policy: enable syscall 6
debug3: ssh_sandbox_parent: policy: enable syscall 20
debug3: ssh_sandbox_parent: policy: enable syscall 48
debug3: ssh_sandbox_parent: policy: enable syscall 73
debug3: ssh_sandbox_parent: policy: enable syscall 74
debug3: ssh_sandbox_parent: policy: enable syscall 75
debug3: ssh_sandbox_parent: policy: enable syscall 93
debug3: ssh_sandbox_parent: policy: enable syscall 116
debug3: ssh_sandbox_parent: policy: enable syscall 197
debug3: ssh_sandbox_parent: policy: enable syscall 202
debug3: ssh_sandbox_parent: policy: enable syscall 252
debug3: ssh_sandbox_parent: policy: enable syscall 286
debug3: ssh_sandbox_parent: start child 30531
debug3: preauth child monitor started
debug3: privsep user:group 27:27 [preauth]
debug1: permanently_set_uid: 27/27 [preauth]
debug3: ssh_sandbox_child: ready [preauth]
debug3: ssh_sandbox_child: started [preauth]
debug1: list_hostkey_types: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256 [preauth]
debug1: SSH2_MSG_KEXINIT sent [preauth]
debug1: SSH2_MSG_KEXINIT received [preauth]
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
debug2: kex_parse_kexinit: ssh-rsa,ssh-dss,ecdsa-sha2-nistp256 [preauth]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-...@openssh.com,aes256-...@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se [preauth]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-...@openssh.com,aes256-...@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se [preauth]
debug2: kex_parse_kexinit: hmac-md5-...@openssh.com,hmac-sha1-...@openssh.com,umac-64-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-ripemd160-...@openssh.com,hmac-sha1-96-...@openssh.com,hmac-md5-96-...@openssh.com,hmac-md5,hmac-sha1,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
debug2: kex_parse_kexinit: hmac-md5-...@openssh.com,hmac-sha1-...@openssh.com,umac-64-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-ripemd160-...@openssh.com,hmac-sha1-96-...@openssh.com,hmac-md5-96-...@openssh.com,hmac-md5,hmac-sha1,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
debug2: kex_parse_kexinit: none,z...@openssh.com [preauth]
debug2: kex_parse_kexinit: none,z...@openssh.com [preauth]
debug2: kex_parse_kexinit:  [preauth]
debug2: kex_parse_kexinit:  [preauth]
debug2: kex_parse_kexinit: first_kex_follows 0 [preauth]
debug2: kex_parse_kexinit: reserved 0 [preauth]
debug2: kex_parse_kexinit: ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group-exchange-sha1,diffie-hellman-group14-sha1,diffie-hellman-group1-sha1 [preauth]
debug2: kex_parse_kexinit: ecdsa-sha2-nistp256-cert-...@openssh.com,ecdsa-sha2-nistp384-cert-...@openssh.com,ecdsa-sha2-nistp521-cert-...@openssh.com,ssh-rsa-cert-...@openssh.com,ssh-dss-cert-...@openssh.com,ssh-rsa-cert-...@openssh.com,ssh-dss-cert-...@openssh.com,ecdsa-sha2-nistp256,ecdsa-sha2-nistp384,ecdsa-sha2-nistp521,ssh-rsa,ssh-dss [preauth]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-...@openssh.com,aes256-...@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se [preauth]
debug2: kex_parse_kexinit: aes128-ctr,aes192-ctr,aes256-ctr,arcfour256,arcfour128,aes128-...@openssh.com,aes256-...@openssh.com,aes128-cbc,3des-cbc,blowfish-cbc,cast128-cbc,aes192-cbc,aes256-cbc,arcfour,rijndael-...@lysator.liu.se [preauth]
debug2: kex_parse_kexinit: hmac-md5-...@openssh.com,hmac-sha1-...@openssh.com,umac-64-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-ripemd160-...@openssh.com,hmac-sha1-96-...@openssh.com,hmac-md5-96-...@openssh.com,hmac-md5,hmac-sha1,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
debug2: kex_parse_kexinit: hmac-md5-...@openssh.com,hmac-sha1-...@openssh.com,umac-64-...@openssh.com,umac-128-...@openssh.com,hmac-sha2-256-...@openssh.com,hmac-sha2-512-...@openssh.com,hmac-ripemd160-...@openssh.com,hmac-sha1-96-...@openssh.com,hmac-md5-96-...@openssh.com,hmac-md5,hmac-sha1,umac...@openssh.com,umac-...@openssh.com,hmac-sha2-256,hmac-sha2-512,hmac-ripemd160,hmac-ripemd...@openssh.com,hmac-sha1-96,hmac-md5-96 [preauth]
debug2: kex_parse_kexinit: z...@openssh.com,zlib,none [preauth]
debug2: kex_parse_kexinit: z...@openssh.com,zlib,none [preauth]
debug2: kex_parse_kexinit:  [preauth]
debug2: kex_parse_kexinit:  [preauth]
debug2: kex_parse_kexinit: first_kex_follows 0 [preauth]
debug2: kex_parse_kexinit: reserved 0 [preauth]
debug2: mac_setup: found hmac-md5-...@openssh.com [preauth]
debug1: kex: client->server aes128-ctr hmac-md5-...@openssh.com z...@openssh.com [preauth]
debug2: mac_setup: found hmac-md5-...@openssh.com [preauth]
debug1: kex: server->client aes128-ctr hmac-md5-...@openssh.com z...@openssh.com [preauth]
debug1: expecting SSH2_MSG_KEX_ECDH_INIT [preauth]
debug3: mm_key_sign entering [preauth]
debug3: mm_request_send entering: type 6 [preauth]
debug3: mm_key_sign: waiting for MONITOR_ANS_SIGN [preauth]
debug3: mm_request_receive_expect entering: type 7 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 6
debug3: mm_answer_sign
debug3: mm_answer_sign: signature 0x1fdc8b7ce280(99)
debug3: mm_request_send entering: type 7
debug2: monitor_read: 6 used once, disabling now
debug2: kex_derive_keys [preauth]
debug2: set_newkeys: mode 1 [preauth]
debug1: SSH2_MSG_NEWKEYS sent [preauth]
debug1: expecting SSH2_MSG_NEWKEYS [preauth]
debug2: set_newkeys: mode 0 [preauth]
debug1: SSH2_MSG_NEWKEYS received [preauth]
debug1: KEX done [preauth]
debug1: userauth-request for user sync service ssh-connection method none [preauth]
debug1: attempt 0 failures 0 [preauth]
debug3: mm_getpwnamallow entering [preauth]
debug3: mm_request_send entering: type 8 [preauth]
debug3: mm_getpwnamallow: waiting for MONITOR_ANS_PWNAM [preauth]
debug3: mm_request_receive_expect entering: type 9 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 8
debug3: mm_answer_pwnamallow
debug3: Trying to reverse map address 127.0.0.1.
debug2: parse_server_config: config reprocess config len 584
debug3: checking match for 'Address 192.168.178.0/24' user sync host localhost addr 127.0.0.1 laddr 127.0.0.1 lport 2222
debug3: match not found
debug3: checking match for 'Group remote-sync, Address 127.0.0.1' user sync host localhost addr 127.0.0.1 laddr 127.0.0.1 lport 2222
debug1: user sync matched group list remote-sync, at line 125
debug1: connection from 127.0.0.1 matched 'Address 127.0.0.1' at line 125
debug3: match found
debug3: reprocess config:126 setting ChrootDirectory /home/chroot
debug3: reprocess config:127 setting ForceCommand internal-sftp -f LOCAL0 -l INFO
debug3: reprocess config:128 setting AllowAgentForwarding no
debug3: reprocess config:129 setting AllowTcpForwarding no
debug3: reprocess config:130 setting GatewayPorts no
debug3: reprocess config:131 setting X11Forwarding no
debug3: mm_answer_pwnamallow: sending MONITOR_ANS_PWNAM: 1
debug3: mm_request_send entering: type 9
debug2: monitor_read: 8 used once, disabling now
debug2: input_userauth_request: setting up authctxt for sync [preauth]
debug3: mm_inform_authserv entering [preauth]
debug3: mm_request_send entering: type 4 [preauth]
debug3: mm_auth2_read_banner entering [preauth]
debug3: mm_request_send entering: type 10 [preauth]
debug3: mm_request_receive_expect entering: type 11 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 4
debug3: mm_answer_authserv: service=ssh-connection, style=
debug2: monitor_read: 4 used once, disabling now
debug3: mm_request_receive entering
debug3: monitor_read: checking request 10
debug3: mm_request_send entering: type 11
debug2: monitor_read: 10 used once, disabling now
debug1: userauth_banner: sent [preauth]
debug2: input_userauth_request: try method none [preauth]
debug3: userauth_finish: failure partial=0 next methods="publickey,keyboard-interactive" [preauth]
debug1: userauth-request for user sync service ssh-connection method publickey [preauth]
debug1: attempt 1 failures 0 [preauth]
debug2: input_userauth_request: try method publickey [preauth]
debug1: test whether pkalg/pkblob are acceptable [preauth]
debug3: mm_key_allowed entering [preauth]
debug3: mm_request_send entering: type 22 [preauth]
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED [preauth]
debug3: mm_request_receive_expect entering: type 23 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 22
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x1fdc81253400
debug1: temporarily_use_uid: 1001/999 (e=0/0)
debug1: trying public key file /home/chroot/home/sync/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug1: matching key found: file /home/chroot/home/sync/.ssh/authorized_keys, line 3
Found matching RSA key: c9:99:a7:86:9c:52:08:c9:1b:2f:7e:7d:94:f4:e0:af
debug1: restore_uid: 0/0
debug3: mm_answer_keyallowed: key 0x1fdc81253400 is allowed
debug3: mm_request_send entering: type 23
debug2: userauth_pubkey: authenticated 0 pkalg ssh-rsa [preauth]
Postponed publickey for sync from 127.0.0.1 port 46864 ssh2 [preauth]
debug1: userauth-request for user sync service ssh-connection method publickey [preauth]
debug1: attempt 2 failures 0 [preauth]
debug2: input_userauth_request: try method publickey [preauth]
debug3: mm_key_allowed entering [preauth]
debug3: mm_request_send entering: type 22 [preauth]
debug3: mm_key_allowed: waiting for MONITOR_ANS_KEYALLOWED [preauth]
debug3: mm_request_receive_expect entering: type 23 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 22
debug3: mm_answer_keyallowed entering
debug3: mm_answer_keyallowed: key_from_blob: 0x1fdc81253000
debug1: temporarily_use_uid: 1001/999 (e=0/0)
debug1: trying public key file /home/chroot/home/sync/.ssh/authorized_keys
debug1: fd 4 clearing O_NONBLOCK
debug1: matching key found: file /home/chroot/home/sync/.ssh/authorized_keys, line 3
Found matching RSA key: c9:99:a7:86:9c:52:08:c9:1b:2f:7e:7d:94:f4:e0:af
debug1: restore_uid: 0/0
debug3: mm_answer_keyallowed: key 0x1fdc81253000 is allowed
debug3: mm_request_send entering: type 23
debug3: mm_key_verify entering [preauth]
debug3: mm_request_send entering: type 24 [preauth]
debug3: mm_key_verify: waiting for MONITOR_ANS_KEYVERIFY [preauth]
debug3: mm_request_receive_expect entering: type 25 [preauth]
debug3: mm_request_receive entering [preauth]
debug3: mm_request_receive entering
debug3: monitor_read: checking request 24
debug1: ssh_rsa_verify: signature correct
debug3: mm_answer_keyverify: key 0x1fdc81253f00 signature verified
debug3: mm_request_send entering: type 25
Accepted publickey for sync from 127.0.0.1 port 46864 ssh2
debug1: monitor_child_preauth: sync has been authenticated by privileged process
debug3: mm_get_keystate: Waiting for new keys
debug3: mm_request_receive_expect entering: type 26
debug3: mm_request_receive entering
debug3: mm_newkeys_from_blob: 0x1fdc81fa8600(150)
debug2: mac_setup: found hmac-md5-...@openssh.com
debug3: mm_get_keystate: Waiting for second key
debug3: mm_newkeys_from_blob: 0x1fdc861f4800(150)
debug2: mac_setup: found hmac-md5-...@openssh.com
debug3: mm_get_keystate: Getting compression state
debug3: mm_get_keystate: Getting Network I/O buffers
debug2: userauth_pubkey: authenticated 1 pkalg ssh-rsa [preauth]
debug1: Enabling compression at level 6. [preauth]
debug3: mm_send_keystate: Sending new keys: 0x1fdc89ca4800 0x1fdc89ca4400 [preauth]
debug3: mm_newkeys_to_blob: converting 0x1fdc89ca4800 [preauth]
debug3: mm_newkeys_to_blob: converting 0x1fdc89ca4400 [preauth]
debug3: mm_send_keystate: New keys have been sent [preauth]
debug3: mm_send_keystate: Sending compression state [preauth]
debug3: mm_request_send entering: type 26 [preauth]
debug3: mm_send_keystate: Finished sending state [preauth]
debug1: monitor_read_log: child log fd closed
debug3: mm_share_sync: Share sync
debug3: mm_share_sync: Share sync end
debug3: ssh_sandbox_parent_finish: finished
User child is on pid 3388
debug3: safely_chroot: checking '/'
debug3: safely_chroot: checking '/home/'
debug3: safely_chroot: checking '/home/chroot'
Changed root directory to "/home/chroot"
debug2: set_newkeys: mode 0
debug2: set_newkeys: mode 1
debug1: Entering interactive session for SSH2.
debug2: fd 5 setting O_NONBLOCK
debug2: fd 6 setting O_NONBLOCK
debug1: server_init_dispatch_20
debug1: server_input_channel_open: ctype session rchan 1 win 2097152 max 32768
debug1: input_session_request
debug1: channel 0: new [server-session]
debug2: session_new: allocate (allocated 0 max 10)
debug3: session_unused: session id 0 unused
debug1: session_new: session 0
debug1: session_open: channel 0
debug1: session_open: session 0: link with channel 0
debug1: server_input_channel_open: confirm session
debug1: server_input_channel_req: channel 0 request subsystem reply 1
debug1: session_by_channel: session 0 channel 0
debug1: session_input_channel_req: session 0 req subsystem
subsystem request for sftp by user sync
debug1: subsystem: internal-sftp
debug1: Forced command (config) 'internal-sftp -f LOCAL0 -l INFO '
debug2: fd 3 setting TCP_NODELAY
debug3: packet_set_tos: set IP_TOS 0x08
debug2: fd 9 setting O_NONBLOCK
debug2: fd 8 setting O_NONBLOCK
debug2: fd 11 setting O_NONBLOCK
debug2: channel 0: read 74 from efd 11
debug3: channel 0: discard efd
debug1: Received SIGCHLD.
debug1: session_by_pid: pid 13822
debug1: session_exit_message: session 0 channel 0 pid 13822
debug2: channel 0: request exit-status confirm 0
debug1: session_exit_message: release channel 0
debug2: channel 0: write failed
debug2: channel 0: close_write
debug2: channel 0: send eow
debug2: channel 0: output open -> closed
debug2: channel 0: read<=0 rfd 9 len 0
debug2: channel 0: read failed
debug2: channel 0: close_read
debug2: channel 0: input open -> drain
debug2: channel 0: read 0 from efd 11
debug2: channel 0: closing read-efd 11
debug2: channel 0: ibuf empty
debug2: channel 0: send eof
debug2: channel 0: input drain -> closed
debug2: channel 0: send close
debug2: notify_done: reading
debug3: channel 0: will not send data after close
debug2: channel 0: rcvd close
debug3: channel 0: will not send data after close
debug2: channel 0: is dead
debug2: channel 0: gc: notify user
debug1: session_by_channel: session 0 channel 0
debug1: session_close_by_channel: channel 0 child 0
debug1: session_close: session 0 pid 0
debug3: session_unused: session id 0 unused
debug2: channel 0: gc: user detached
debug2: channel 0: is dead
debug2: channel 0: garbage collecting
debug1: channel 0: free: server-session, nchannels 1
debug3: channel 0: status: The following connections are open:
  #0 server-session (t4 r1 i3/0 o3/0 fd -1/-1 cc -1)
Received disconnect from 127.0.0.1: 11: disconnected by user
debug1: do_cleanup
debug3: mm_request_receive entering
debug1: do_cleanup

On 8 April 2013 12:48, Manolis Tzanidakis <mtzanida...@gmail.com> wrote:
> On Sun (07/04/13), Didier Wiroth wrote:
>> Hello,
>
> Hey there
>
>> (running current with OpenSSH_6.2, OpenSSL 1.0.1c 10 May 2012)
>> I'm trying to set up ChrootDirectory in sshd_config as a test configuration
>> without success.
>> Here is a snip from my sshd_config
>> ----
>> #(this is the default line)
>> Subsystem sftp /usr/libexec/sftp-server
>
> You should change this line to:
>
> Subsystem sftp internal-sftp
>
> and it should work.
>
> --
> Manolis Tzanidakis
> http://mtzanidakis.com/
> mtzanidakis[at]gmail[dot]com
>

--
Didier Wiroth
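An added check script follows. It is not from this thread and not OpenSSH code; it is the pre-flight test I would run on a box like the one above before reading sshd -ddd output. It covers the three prerequisites the thread touches: every path component down to the ChrootDirectory must be root-owned and not group/world writable (what the "safely_chroot: checking ..." lines in the log enforce); a chroot whose internal-sftp is told to log, as "ForceCommand internal-sftp -f LOCAL0 -l INFO" does, needs a /dev/log socket inside it (the sshd_config(5) text quoted above, satisfied by "syslogd -a /home/chroot/dev/log"); and, per sshd_config(5), sshd changes into the user's home directory after the chroot, so the passwd home must exist beneath the chroot. The function names, the OWNER parameter and the example home /home/chroot/home/sync (inferred from the authorized_keys path sshd printed) are my assumptions, not anything the thread states; the script reports what is missing and does not claim which of these caused the "Connection closed" above.

```sh
#!/bin/sh
# check_sftp_chroot.sh: added example (not from the thread, not OpenSSH code).
# Checks the prerequisites of an sshd ChrootDirectory used with internal-sftp:
#   1. / and every component down to the chroot: owned by root, no g/o write
#      (sshd's safely_chroot() refuses the chroot otherwise);
#   2. CHROOT/dev/log is a socket (needed once internal-sftp logs, -l INFO);
#   3. the passwd home exists *inside* the chroot, because sshd chdir()s to
#      it after chroot(2) (sshd_config(5), ChrootDirectory).
# OWNER is a parameter only so the checks can be exercised on a scratch tree
# built by a non-root user; for a real deployment it must be "root".

# owner_and_mode PATH: prints "owner perm-bits-in-octal" (GNU stat, else BSD).
owner_and_mode() {
    stat -c '%U %a' "$1" 2>/dev/null || stat -f '%Su %Lp' "$1"
}

# check_dir_perms PATH OWNER: 0 if PATH is a directory owned by OWNER and not
# group- or world-writable; 1 (with the reason printed) otherwise.
check_dir_perms() {
    dir=$1; want=$2
    [ -d "$dir" ] || { echo "missing directory: $dir"; return 1; }
    set -- $(owner_and_mode "$dir")
    if [ "$1" != "$want" ]; then
        echo "$dir: owned by $1, must be owned by $want"; return 1
    fi
    # 022 = group-write | other-write; a leading 0 makes the bits octal.
    if [ $(( 0$2 & 022 )) -ne 0 ]; then
        echo "$dir: mode $2 is group/world writable"; return 1
    fi
    return 0
}

# check_dev_log CHROOT: 0 if CHROOT/dev/log is a socket, 1 otherwise.
check_dev_log() {
    [ -S "$1/dev/log" ] && return 0
    echo "$1/dev/log is not a socket (needed when internal-sftp logs)"
    return 1
}

# check_home CHROOT PW_DIR: 0 if PW_DIR exists beneath CHROOT, 1 otherwise.
check_home() {
    [ -d "$1$2" ] && return 0
    echo "home $2 does not exist inside the chroot (looked for $1$2)"
    return 1
}

# check_sftp_chroot CHROOT PW_DIR [OWNER]: runs every check; the return value
# is the number of problems found (0 means the tree meets the requirements).
# Path components are split on "/" and must not contain whitespace.
check_sftp_chroot() {
    root=$1; home=$2; owner=${3:-root}; problems=0
    check_dir_perms / "$owner" || problems=$((problems + 1))
    prefix=""
    for comp in $(printf '%s\n' "$root" | tr '/' ' '); do
        prefix="$prefix/$comp"
        check_dir_perms "$prefix" "$owner" || problems=$((problems + 1))
    done
    check_dev_log "$root" || problems=$((problems + 1))
    check_home "$root" "$home" || problems=$((problems + 1))
    return $problems
}

# Layout from the thread: ChrootDirectory /home/chroot; the passwd home is
# assumed to be /home/chroot/home/sync (where sshd found authorized_keys).
if [ "${1:-}" = "--run" ]; then
    check_sftp_chroot /home/chroot /home/chroot/home/sync root
    echo "problems found: $?"
fi
```

Run it as root on the server with "sh check_sftp_chroot.sh --run"; every line it prints is one requirement the tree does not meet, and an exit status of 0 from check_sftp_chroot means nothing in this list is wrong. The home check deliberately looks for CHROOT followed by the full passwd home path, since that is the path sshd uses once it has chrooted.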